[PATCH 2/5] crypto/cnxk: support AES-GMAC

[Anoob Joseph <anoobj@marvell.com>]

From: Archana Muniganti <marchana@marvell.com>

Added lookaside IPsec AES-GMAC support in CNXK PMD.

Signed-off-by: Archana Muniganti <marchana@marvell.com>
Acked-by: Anoob Joseph <anoobj@marvell.com>
---
 doc/guides/cryptodevs/cnxk.rst                    |  2 ++
 doc/guides/rel_notes/release_22_07.rst            |  1 +
 drivers/common/cnxk/cnxk_security.c               |  8 ++++++
 drivers/crypto/cnxk/cn10k_ipsec.c                 |  3 ++
 drivers/crypto/cnxk/cn10k_ipsec_la_ops.h          |  3 +-
 drivers/crypto/cnxk/cn9k_ipsec.c                  | 35 ++++++++++++++++-------
 drivers/crypto/cnxk/cnxk_cryptodev.h              |  2 +-
 drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c | 25 ++++++++++++++++
 drivers/crypto/cnxk/cnxk_ipsec.h                  |  3 ++
 9 files changed, 70 insertions(+), 12 deletions(-)

diff --git a/doc/guides/cryptodevs/cnxk.rst b/doc/guides/cryptodevs/cnxk.rst
index 19c4a8b..baf0e3c 100644
--- a/doc/guides/cryptodevs/cnxk.rst
+++ b/doc/guides/cryptodevs/cnxk.rst
@@ -274,6 +274,7 @@ Auth algorithms
 * SHA384-192-HMAC
 * SHA512-256-HMAC
 * AES-XCBC-96
+* AES-GMAC
 
 CN10XX Features supported
 ~~~~~~~~~~~~~~~~~~~~~~~~~
@@ -308,3 +309,4 @@ Auth algorithms
 * SHA384-192-HMAC
 * SHA512-256-HMAC
 * AES-XCBC-96
+* AES-GMAC
diff --git a/doc/guides/rel_notes/release_22_07.rst b/doc/guides/rel_notes/release_22_07.rst
index 68857d4..a5ac90d 100644
--- a/doc/guides/rel_notes/release_22_07.rst
+++ b/doc/guides/rel_notes/release_22_07.rst
@@ -58,6 +58,7 @@ New Features
 * **Updated Marvell cnxk crypto PMD.**
 
   * Added AH mode support in lookaside protocol (IPsec) for CN9K & CN10K.
+  * Added AES-GMAC support in lookaside protocol (IPsec) for CN9K & CN10K.
 
 
 Removed Items
diff --git a/drivers/common/cnxk/cnxk_security.c b/drivers/common/cnxk/cnxk_security.c
index afefbd2..69a962d 100644
--- a/drivers/common/cnxk/cnxk_security.c
+++ b/drivers/common/cnxk/cnxk_security.c
@@ -155,6 +155,14 @@ ot_ipsec_sa_common_param_fill(union roc_ot_ipsec_sa_word2 *w2,
 		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
 			w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_XCBC_128;
 			break;
+		case RTE_CRYPTO_AUTH_AES_GMAC:
+			w2->s.auth_type = ROC_IE_OT_SA_AUTH_AES_GMAC;
+			key = auth_xfrm->auth.key.data;
+			length = auth_xfrm->auth.key.length;
+			memcpy(salt_key, &ipsec_xfrm->salt, 4);
+			tmp_salt = (uint32_t *)salt_key;
+			*tmp_salt = rte_be_to_cpu_32(*tmp_salt);
+			break;
 		default:
 			return -ENOTSUP;
 		}
diff --git a/drivers/crypto/cnxk/cn10k_ipsec.c b/drivers/crypto/cnxk/cn10k_ipsec.c
index 0c9e244..3a2bf0f 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec.c
+++ b/drivers/crypto/cnxk/cn10k_ipsec.c
@@ -77,6 +77,9 @@ cn10k_ipsec_outb_sa_create(struct roc_cpt *roc_cpt, struct roc_cpt_lf *lf,
 		} else if (crypto_xfrm->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 			sa->iv_offset = crypto_xfrm->cipher.iv.offset;
 			sa->iv_length = crypto_xfrm->cipher.iv.length;
+		} else {
+			sa->iv_offset = crypto_xfrm->auth.iv.offset;
+			sa->iv_length = crypto_xfrm->auth.iv.length;
 		}
 	}
 #else
diff --git a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
index f2d8122..66cfe6c 100644
--- a/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
+++ b/drivers/crypto/cnxk/cn10k_ipsec_la_ops.h
@@ -65,7 +65,8 @@ process_outb_sa(struct roc_cpt_lf *lf, struct rte_crypto_op *cop,
 
 #ifdef LA_IPSEC_DEBUG
 	if (sess->out_sa.w2.s.iv_src == ROC_IE_OT_SA_IV_SRC_FROM_SA) {
-		if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM)
+		if (sess->out_sa.w2.s.enc_type == ROC_IE_OT_SA_ENC_AES_GCM ||
+		    sess->out_sa.w2.s.auth_type == ROC_IE_OT_SA_AUTH_AES_GMAC)
 			ipsec_po_sa_aes_gcm_iv_set(sess, cop);
 		else
 			ipsec_po_sa_iv_set(sess, cop);
diff --git a/drivers/crypto/cnxk/cn9k_ipsec.c b/drivers/crypto/cnxk/cn9k_ipsec.c
index eaa3698..82b8dae 100644
--- a/drivers/crypto/cnxk/cn9k_ipsec.c
+++ b/drivers/crypto/cnxk/cn9k_ipsec.c
@@ -211,6 +211,7 @@ ipsec_sa_ctl_set(struct rte_security_ipsec_xform *ipsec,
 			break;
 		case RTE_CRYPTO_AUTH_AES_GMAC:
 			ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_GMAC;
+			aes_key_len = auth_xform->auth.key.length;
 			break;
 		case RTE_CRYPTO_AUTH_AES_XCBC_MAC:
 			ctl->auth_type = ROC_IE_ON_SA_AUTH_AES_XCBC_128;
@@ -265,7 +266,7 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
 		     struct rte_crypto_sym_xform *crypto_xform,
 		     struct roc_ie_on_common_sa *common_sa)
 {
-	struct rte_crypto_sym_xform *cipher_xform;
+	struct rte_crypto_sym_xform *cipher_xform, *auth_xform;
 	const uint8_t *cipher_key;
 	int cipher_key_len = 0;
 	int ret;
@@ -279,13 +280,13 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
 		common_sa->esn_hi = ipsec->esn.hi;
 	}
 
-	if (ipsec->proto == RTE_SECURITY_IPSEC_SA_PROTO_AH)
-		return 0;
-
-	if (ipsec->direction == RTE_SECURITY_IPSEC_SA_DIR_INGRESS)
+	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AUTH) {
+		auth_xform = crypto_xform;
 		cipher_xform = crypto_xform->next;
-	else
+	} else {
 		cipher_xform = crypto_xform;
+		auth_xform = crypto_xform->next;
+	}
 
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD) {
 		if (crypto_xform->aead.algo == RTE_CRYPTO_AEAD_AES_GCM)
@@ -293,8 +294,16 @@ fill_ipsec_common_sa(struct rte_security_ipsec_xform *ipsec,
 		cipher_key = crypto_xform->aead.key.data;
 		cipher_key_len = crypto_xform->aead.key.length;
 	} else {
-		cipher_key = cipher_xform->cipher.key.data;
-		cipher_key_len = cipher_xform->cipher.key.length;
+		if (cipher_xform) {
+			cipher_key = cipher_xform->cipher.key.data;
+			cipher_key_len = cipher_xform->cipher.key.length;
+		}
+
+		if (auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+			memcpy(common_sa->iv.gcm.nonce, &ipsec->salt, 4);
+			cipher_key = auth_xform->auth.key.data;
+			cipher_key_len = auth_xform->auth.key.length;
+		}
 	}
 
 	if (cipher_key_len != 0)
@@ -358,7 +367,8 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 		return ret;
 
 	if (ctl->enc_type == ROC_IE_ON_SA_ENC_AES_GCM ||
-	    ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL) {
+	    ctl->auth_type == ROC_IE_ON_SA_AUTH_NULL ||
+	    ctl->auth_type == ROC_IE_ON_SA_AUTH_AES_GMAC) {
 		template = &out_sa->aes_gcm.template;
 		ctx_len = offsetof(struct roc_ie_on_outb_sa, aes_gcm.template);
 	} else {
@@ -453,6 +463,7 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 		auth_key_len = auth_xform->auth.key.length;
 
 		switch (auth_xform->auth.algo) {
+		case RTE_CRYPTO_AUTH_AES_GMAC:
 		case RTE_CRYPTO_AUTH_NULL:
 			break;
 		case RTE_CRYPTO_AUTH_SHA1_HMAC:
@@ -497,6 +508,9 @@ cn9k_ipsec_outb_sa_create(struct cnxk_cpt_qp *qp,
 		} else if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_CIPHER) {
 			sa->cipher_iv_off = crypto_xform->cipher.iv.offset;
 			sa->cipher_iv_len = crypto_xform->cipher.iv.length;
+		} else {
+			sa->cipher_iv_off = crypto_xform->auth.iv.offset;
+			sa->cipher_iv_len = crypto_xform->auth.iv.length;
 		}
 	}
 #else
@@ -553,7 +567,8 @@ cn9k_ipsec_inb_sa_create(struct cnxk_cpt_qp *qp,
 		return ret;
 
 	if (crypto_xform->type == RTE_CRYPTO_SYM_XFORM_AEAD ||
-	    auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL) {
+	    auth_xform->auth.algo == RTE_CRYPTO_AUTH_NULL ||
+	    auth_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
 		ctx_len = offsetof(struct roc_ie_on_inb_sa,
 				   sha1_or_gcm.hmac_key[0]);
 	} else {
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev.h b/drivers/crypto/cnxk/cnxk_cryptodev.h
index 542c93b..fe2904b 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev.h
+++ b/drivers/crypto/cnxk/cnxk_cryptodev.h
@@ -11,7 +11,7 @@
 #include "roc_cpt.h"
 
 #define CNXK_CPT_MAX_CAPS	 34
-#define CNXK_SEC_CRYPTO_MAX_CAPS 11
+#define CNXK_SEC_CRYPTO_MAX_CAPS 12
 #define CNXK_SEC_MAX_CAPS	 9
 #define CNXK_AE_EC_ID_MAX	 8
 /**
diff --git a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
index efd53db..98b002d 100644
--- a/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
+++ b/drivers/crypto/cnxk/cnxk_cryptodev_capabilities.c
@@ -835,6 +835,31 @@ static const struct rte_cryptodev_capabilities sec_caps_aes[] = {
 			}, }
 		}, }
 	},
+	{	/* AES GMAC (AUTH) */
+		.op = RTE_CRYPTO_OP_TYPE_SYMMETRIC,
+		{.sym = {
+			.xform_type = RTE_CRYPTO_SYM_XFORM_AUTH,
+			{.auth = {
+				.algo = RTE_CRYPTO_AUTH_AES_GMAC,
+				.block_size = 16,
+				.key_size = {
+					.min = 16,
+					.max = 32,
+					.increment = 8
+				},
+				.digest_size = {
+					.min = 8,
+					.max = 16,
+					.increment = 4
+				},
+				.iv_size = {
+					.min = 12,
+					.max = 12,
+					.increment = 0
+				}
+			}, }
+		}, }
+	},
 };
 
 static const struct rte_cryptodev_capabilities sec_caps_sha1_sha2[] = {
diff --git a/drivers/crypto/cnxk/cnxk_ipsec.h b/drivers/crypto/cnxk/cnxk_ipsec.h
index 1524217..171ea27 100644
--- a/drivers/crypto/cnxk/cnxk_ipsec.h
+++ b/drivers/crypto/cnxk/cnxk_ipsec.h
@@ -59,6 +59,9 @@ ipsec_xform_auth_verify(struct rte_crypto_sym_xform *crypto_xform)
 	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_SHA512_HMAC) {
 		if (keylen == 64)
 			return 0;
+	} else if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_GMAC) {
+		if (keylen >= 16 && keylen <= 32)
+			return 0;
 	}
 
 	if (crypto_xform->auth.algo == RTE_CRYPTO_AUTH_AES_XCBC_MAC &&
-- 
2.7.4